b'                                                          US OFFICE OF PERSONNEL MANAGE1vlENT\n                                                              OFFICE OF THE INSPECTOR GENERAL\n                                                                               OFFICE OF AUDITS\n\n\n\n\n  . EillalAuditReport\n   Subject:\n\n\n    . ..AUDIT OF THE SECURITY OF PERSONALLY ..\n    "..\xc2\xb7 IDltNTIFIABLE.INF01ThiATION IN TIlE FEDERAL\n.,\':,. "\'~~\xc2\xa5.~S!IG~~IlYE:Stll.VICES DIVISION ()FTHE\n        \'.\' \xc2\xb7\xc2\xb7\';U~S.OFFICEOF.PERSONNELMANAGEMENT\'\n          .   "   _;r\'   .   \'.   _   ,"".,   _   \'",   ,\',   ."        \xe2\x80\xa2   .       \' . , .       .   .\xe2\x80\xa2        .   .\n\n\n\n\n                                         .. \'.\xe2\x80\xa2. . \xc2\xb7\xc2\xb7.RePQrtNO~\xc2\xb7      4A~IS~OO-08..014\n\n                                                  . Date: \'April        .21, 2009\n\n\n\n\n                                                                   --CAUTION-\xc2\xad\n       This 9udil,reporl hasbeendistributed toFederal officials ,,,hi> are responsible for the administration ofthe audited program.\n       Thi~ ~udilreport may contain proprietary data which is protected by Federal law (IS U.S.c. 1905); therefore, while this audit\n     , .reporl is avail a ble under the Freedom of Information Act, caution needs to beexerdSl!d lxfore rdeasing tbe report to the \'\n       gen\'eral pil bJi c.                             \' ,                                                             .\n\x0c                        UNITED STATES OFFICE OF PERSONNEL MANAGEMENT\n                                           Washington. 
DC 20415\n\n\n   Office of the\nInspector General\n\n\n\n                                        AUDIT REPORT\n\n\n\n\n                        AUDIT OF THE SECURITY OF PERSONALLY \n\n                      IDENTIFIABLE INFORMATION IN THE FEDERAL \n\n                       INVESTIGATIVE SERVICES DIVISION OF THE \n\n                        U.S. OFFICE OF PERSONNEL MANAGEMENT \n\n\n\n\n\n                        Report No. 4A-IS-OO-08-014   Date:    April 21, 2009\n\n\n\n\n                                                                  Michael R. Esser\n                                                                  Assistant Inspector General\n                                                                    for Audits\n\n\n\n\n        www.opm.gov                                                                  www.usajobs.gov\n\x0c                           UNITED STATES OFFICE OF PERSONNEL MANAGEMENT \n\n                                               Washington. DC 20415 \n\n\n\n  Office of the\nInspector General\n                                       EXECUTIVE SUMMARY\n\n\n\n                        AUDIT OF THE SECURITY OF PERSONALLY \n\n                     IDENTIFIABLE INFORMATION IN THE FEDERAL \n\n                       INVESTIGATIVE SERVICES DIVISION OF THE \n\n                        U.S. OFFICE OF PERSONNEL MANAGEMENT \n\n\n\n\n                          Report No. 4A-IS-OO-08-014         Date: April 21\xc2\xab 2009\n\n\n        The Office of the Inspector General has completed a performance audit on personally\n        identifiable information (PH) in the Federal Investigative Services Division (FISD) of the U.S.\n        Office of Personnel Management (OPM). Our main objective was to determine whether FISD\n        has effectively implemented controls for the storage, security, and transmission of PI!. 
In order\n        to make this determination, our audit included the following specific objectives: (1) determine\n        whether FISD\'s and contractors\' employees are adhering to the contract temls, OPM and Federal\n        policy, and internal policies regarding the controls over PII; (2) determine whether all personnel\n        have been adequately trained in the proper handling ofPII; and (3) determine whether FISD\'s\n        and contractors\' employees are properly reportipg incidents of the loss or compromise of\n        information containing PlI.\n\n        Our audit was conducted from March 25 through December 2, 2008 at OPM headquarters,\n        located in Washington D.C.; FISD headquarters, located in Boyers, Pennsylvania; and contractor\n        sites located in Chantilly, Virginia; Loveland, Colorado; and Boyers, Pennsylvania. Our audit\n        disclosed seven areas requiring improvement, including instances in which FISD requirements or\n        policies and procedures were not followed by the Contractors, as weJl as instances in which\n        FISD controls were inadequate or absent altogether.\n\n             A.     Training\n\n                     1.     No Security Awareness Training for New Hires                   Procedural\n\n                            FISD\'s contractors did not provide OPM Information\n                            Technology Security Awareness Training to new employees\n                            within 30 days of their initial hiring.\n\n\n\n\n        www._                                                                                 www.usajobs.gov\n\x0c      2.   No PII Training for Contractors                               Procedural\n\n           FISD did not require Goodwill employees to be trained on\n           the collection of bins containing documentation to be\n           shredded, observation of the shredding process, and\n           safeguarding of PII. 
In addition, we could not determine\n           whether Iron Mountain employees, responsible for handling\n           the bins, have received appropriate PII training.\n\n\nB.   Incident Reporting\n\n      1.   Lack of Controls for Contractor Incident Reporting            Procedural\n\n           FISD\xe2\x80\x99s contractors did not report the loss of PII in\n           accordance with FISD\xe2\x80\x99s \xe2\x80\x9cLoss or Compromise of Personally\n           Identifiable Information\xe2\x80\x9d policy.\n\n      2.   Lack of Controls for FISD Incident Reporting                  Procedural\n\n           FISD\xe2\x80\x99s controls for reporting the loss or compromise of PII\n           do not ensure that incidents are reported timely, in\n           accordance with their \xe2\x80\x9cLoss or Compromise of PII\xe2\x80\x9d policy.\n\n\nC.   Investigative Case Notes\n\n      1.   Lack of Controls for the Timely Return of Investigative       Procedural\n           Case Notes\n\n           FISD\xe2\x80\x99s contractors do not have controls in place to ensure\n           that case notes are returned to their Program Management\n           Office within two weeks, as required by their contract with\n           FISD.\n\n      2.   Lack of Controls over the Return of Investigative Case        Procedural\n           Notes\n\n           FISD investigative case notes were destroyed prior to the\n           expiration of the three-year retention period. In addition,\n           FISD does not have a method for ensuring that background\n           investigators return investigative case notes once the\n           background case is closed.\n\n\n\n\n                                         ii\n\x0cD.   Telework\n\n     1.   
Lack of Controls for the Handling of PII While            Procedural\n          Employees Telework\n\n          FISD does not have an adequate method of tracking the\n          removal and return of background cases and related case\n          materials while employees telework.\n\n\n\n\n                                      iii\n\x0c                           TABLE OF CONTENTS\n\n                                                                             Page\n\n      EXECUTIVE SUMMARY \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.........................................         i\n\n  I. INTRODUCTION AND BACKGROUND ........................................      1\n\n II. OBJECTIVES, SCOPE, AND METHODOLOGY ............................           4\n\nIII. AUDIT FINDINGS AND RECOMMENDATIONS .........................              6\n\n      A. Training\n         1. No Security Awareness Training for New Hires\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..               6\n         2. No PII Training for Contractors \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                     8\n\n      B. Incident Reporting\n         1. Lack of Controls for Contractor Incident Reporting \xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6..         9\n         2. Lack of Controls for FISD Incident Reporting \xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.            11\n\n      C. Investigative Case Notes\n         1. Lack of Controls for the Timely Return of Investigative Case\n            Notes \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6..                                  12\n         2. 
Lack of Controls over the Return of Investigative Case\n            Notes \xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.                                   13\n\n      D. Telework\n         1. Lack of Controls for the Handling of PII While Employees\n            Telework\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6                                   15\n\nIV.   MAJOR CONTRIBUTORS TO THIS REPORT\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                             17\n\n      APPENDIX        (Federal Investigative Services Division\xe2\x80\x99s response,\n                       dated January 30, 2009, to our draft report.)\n\x0c                     I. INTRODUCTION AND BACKGROUND\nIntroduction\n\nThis final audit report details the findings, conclusions, and recommendations resulting from our\nperformance audit of the Security of Personally Identifiable Information (PII) in the Federal\nInvestigative Services Division (FISD) of the U.S. Office of Personnel Management (OPM).\n\nThe audit was performed by OPM\'s Office of the Inspector General (OIG), at the request of\nformer Director Linda M. Springer and as authorized by the Inspector General Act of 1978, as\namended.\n\nBackground\n\nFISD, headquartered in Boyers, Pennsylvania, conducts background investigations for Federal\nagencies so they can make suitability and national security decisions regarding personnel. FISD\nis responsible for conducting approximately 90 percent of all personnel background\ninvestigations for the Federal Government. 
FISD currently contracts with three investigative\ncontractors: US Investigations Services, Inc. (USIS); CACI International, Inc. (CACI); and\nKroll Government Services (Kroll), hereafter referred to as the \xe2\x80\x9cContractors\xe2\x80\x9d, to assist with\ncompleting background investigations. In addition to the investigative contractors, FISD also\ncontracts with Goodwill Industries of Pittsburgh (Goodwill) for services which include the\ncollection of secured bins and observing the shredding of PII contained within the bins. Iron\nMountain is responsible for handling the bins and shredding the PII documentation.\n\nFISD is in the business of collecting information, much of it of a personal nature (including PII),\non Federal employees, contractors and military personnel. It is the responsibility of each\nemployee of FISD and its Contractors to ensure that all such information entrusted to them in the\ncourse of their duties be protected and secured against compromise.\n\nFISD defines PII as any information unique to an individual which, on its own or in aggregate\nwith other information, would tend to specifically identify that individual. PII includes:\n       \xe2\x80\xa2 Full Names (first and last)\n       \xe2\x80\xa2 Social Security Numbers\n\nOther personal data which, on its own, would not tend to identify any single individual is not\nconsidered PII, and does not require protection. 
This category of data includes:\n       \xe2\x80\xa2 Full or last names, standing alone\n       \xe2\x80\xa2 Dates of Birth\n       \xe2\x80\xa2 Places of Birth\n\nThese three types of data are only considered PII when they appear in conjunction with each\nother (e.g., SMITH, December 21st, 1972, Portland, Oregon) or when any single type appears in\nconjunction with a full name and /or a Social Security number (e.g., John David, April 30, 1966).\n                                                 1\n\x0cEach background investigative contract includes specific requirements for safeguarding\ninvestigative materials containing PII, which include the following:\n\n   \xe2\x80\xa2   Contractors are responsible for the security, integrity and appropriate authorized use of\n       their systems used for the transaction of all Government business;\n   \xe2\x80\xa2   Contractors shall provide acceptable secured capability/secure storage for all\n       investigative materials (case files, computers, etc.), which must be locked in a secured\n       area when not under the direct supervision of Contractor personnel;\n   \xe2\x80\xa2   Each field office location that will receive case papers or that will have supervisory or\n       clerical staff responsible for assigning and following up on OPM cases must have\n       dedicated computers and printers that are approved by OPM, prior to\n       implementation; and\n   \xe2\x80\xa2   Certain personnel performing work under the contracts must possess minimum\n       qualifications, and training that meets OPM requirements; however, all contract\n       personnel conducting work on the contract must be trained through the approved\n       Contractor training plan.\n\nOPM is responsible for protecting its information resources, including handwritten notes, case\npapers, copies of reports, and OPM-imaged hard drives, from loss, theft, misuse, destruction, and\nunauthorized access, disclosure, modification and duplication. 
Therefore, OPM created a\nSecurity and Privacy Policy, dated September 2007, that is applicable to OPM employees,\ncontractors, and all others who have access to OPM information resources, systems, networks,\ninformation and facilities.\n\nFISD has developed and issued various policies related to the protection of PII to its employees\nand Contractors. These policies include protocols and timeliness standards to follow in order to\nprotect PII while in an employee\'s possession or in transport; the storage of PII; and how to\nreport incidents involving the loss, theft, or abuse of PII.\n\nIn addition, there are training requirements that must be met by FISD employees and its\nContractors. OPM requires that new employees complete an Information Technology (IT)\nSecurity Awareness Training within 30 days of initial hiring. OPM also requires a mandatory\nannual IT Security Awareness Training for all OPM employees, contractors, and subcontractors.\n\nAll Contractors and FISD employees conducting background investigations must also be trained\non FISD\xe2\x80\x99s requirements for background investigations. Investigators initially receive classroom\ntraining prior to receiving their first case load as a background investigator. Required training\nwill be commensurate with prior experience. Within three months of the establishment of an\nInvestigative Contract, the Contractor shall provide FISD approved training to all investigative\npersonnel and reviewers identified in the contract proposal as being personnel they will assign to\nthe contract. FISD will assist Contractors in the development of their training by providing\nmaterials on the minimum coverage topics, which must include orientation on FISD investigative\nrequirements including controls over PII. The Contractor shall augment the training (i.e.,\nadditional classroom lessons, ride-alongs, mentoring, etc.) 
using the Contractor\xe2\x80\x99s existing staff to\nensure compliance with OPM\xe2\x80\x99s policies as outlined in the OPM FISD Investigator\xe2\x80\x99s Handbook\n\n\n\n\n                                                 2\n\x0cand appropriate Revision Notices. All training material may be supplemented by the Contractor;\nhowever, all such materials must be approved by FISD and are the property of FISD.\n\nNo previous audits of FISD\xe2\x80\x99s controls over PII have been performed.\n\nThe initial results of our audit were discussed with OPM officials during an exit conference. A\ndraft report was issued on December 16, 2008. FISD\xe2\x80\x99s response to the draft report was\nconsidered for this final report and is included as an Appendix.\n\n\n\n\n                                                3\n\x0c                II. OBJECTIVES, SCOPE, AND METHODOLOGY\nObjectives\n\nThe primary objective of our audit was to determine whether FISD has effectively implemented\ncontrols for the storage, security, and transmission of PII. Specifically, our objectives were to:\n\n   \xe2\x80\xa2   Determine whether FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 employees are adhering to the contract\n       terms, OPM and Federal policy, and internal policies regarding the controls over PII;\n   \xe2\x80\xa2   Determine whether all personnel have been adequately trained in the proper handling of\n       PII; and\n   \xe2\x80\xa2   Determine whether FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 employees are properly reporting incidents\n       of the loss or compromise of information containing PII.\n\nThe recommendations included in this final report address these objectives.\n\nScope and Methodology\n\nOur performance audit was conducted in accordance with generally accepted government\nauditing standards as established by the Comptroller General of the United States. 
Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objectives. We\nbelieve that the evidence obtained provides a reasonable basis for our findings and conclusions\nbased on our audit objectives.\n\nThe scope of our audit covered FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 current policies and procedures\ngoverning PII.\n\nWe performed this audit from March 25 through December 2, 2008 at FISD offices located in\nOPM headquarters in Washington, D.C. and Boyers, Pennsylvania. In addition, we visited\nContractors\xe2\x80\x99 sites located in Chantilly, Virginia; Boyers, Pennsylvania; and Loveland, Colorado.\n\nTo accomplish the audit objectives noted above, we:\n\n   \xe2\x80\xa2   Reviewed FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 policies regarding the storage, security, and\n       transmission of PII;\n   \xe2\x80\xa2   Reviewed FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 policies for training employees and contractors on the\n       protection of PII;\n   \xe2\x80\xa2   Reviewed FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 policies for reporting incidents including the loss or\n       compromise of PII;\n   \xe2\x80\xa2   Sampled and tested FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 training records and incident reports; and\n   \xe2\x80\xa2   Interviewed FISD\xe2\x80\x99s and Contractors\xe2\x80\x99 personnel.\n\nIn planning our work and gaining an understanding of the internal controls over the storage,\nsecurity, and transmission of PII, we considered the internal control structure to the extent\n\n\n\n                                                 4\n\x0cnecessary to develop our audit procedures. These procedures were mainly substantive in nature,\nalthough we did gain an understanding of management procedures and controls to the extent\nnecessary to achieve our audit objectives. 
The purpose of our audit was not to provide an opinion on\ninternal controls, but merely to evaluate controls over the processes that were included in the scope\nof our audit. Our audit included such tests of FISD\xe2\x80\x99s and the Contractors\xe2\x80\x99 records and other\nprocedures as we considered necessary under the circumstances. The results of our tests indicate\nthat, with respect to the items tested, FISD and the Contractors complied with their policies and\nprocedures and contract terms as they relate to PII, except for the areas set forth in the details of this\naudit report.\n\nIn conducting our audit, we tested FISD\xe2\x80\x99s and the Contractors\xe2\x80\x99 compliance with their policies and\nprocedures by selecting judgmental and random samples of training records, telework logs, incident\nreports, and closed cases. We tested a judgmental sample of 5 out of 32 CACI employees hired\nduring the month of December 2007; 5 out of 50 Kroll employees hired between October 1, 2006\nand September 30, 2007; and 5 out of 57 USIS employees hired between October 1, 2006 and\nSeptember 30, 2007 to determine if they completed OPM\xe2\x80\x99s Information Technology (IT) Security\nAwareness Training within 30 days of initial hiring.\n\nFor closed cases, we judgmentally selected 10 out of 28 cases that were closed by CACI as of\nApril 24, 2008; 10 out of 209 cases that were closed by Kroll on February 27, 2008; 10 out of an\nunknown number of cases that were closed by USIS as of February 29, 2008; and 10 out of 12,363\ncases that were closed by FISD investigators between February 1 and February 29, 2008. We\nrequested the case materials to determine if the notes were returned to and maintained at the\nrespective headquarters.\n\nWe judgmentally selected the 3 incidents reported by CACI; the 7 incidents reported by Kroll; and 5\nout of 13 USIS incidents that were reported between November 1, 2007 and April 18, 2008. 
We\nalso selected 2 out of 11 FISD incidents reported between November 1, 2007 and March 31, 2008\nrelated to the loss of PII to determine whether FISD and Contractor employees reported incidents in\naccordance with FISD\xe2\x80\x99s PII policies.\n\nIn addition, we randomly selected logs of the FISD employees who teleworked from Boyers,\nPennsylvania and Fort Meade, Maryland during the months of August and November 2007 to\ndetermine if employees were adhering to their groups\xe2\x80\x99 telework policies.\n\nThe results from the various samples were not projected to the population.\n\n\n\n\n                                                      5\n\x0c               III. AUDIT FINDINGS AND RECOMMENDATIONS\nOur audit disclosed that FISD and their Contractors have controls in place for computers and portable\ndevices that safeguard PII. We also noted that security inspections and risk assessments were conducted at\nFISD\xe2\x80\x99s and Contractors\xe2\x80\x99 facilities to evaluate and measure the effectiveness and efficiency of each facility\nthat handles, processes, and stores equipment, case materials, and other items as required by security\npolicies and standards. However, we also identified areas, described below, that require improvements due\nto the Contractors not following FISD requirements or policies and procedures, or due to FISD controls that\nwere inadequate or absent altogether.\n\nA.       Training\n\n     1. 
No Security Awareness Training for New Hires\n\n         CACI and Kroll did not provide OPM IT Security Awareness Training to new employees within\n         30 days of their initial hiring.\n\n         We judgmentally selected 5 out of 32 CACI employees hired during the month of December 2007;\n         5 out of 50 Kroll employees hired between October 1, 2006 and September 30, 2007; and 5 out of\n         57 USIS employees hired between October 1, 2006 and September 30, 2007 to determine if they\n         completed the IT Security Awareness Training within 30 days of initial hiring. The results of our\n         review disclosed that the CACI and Kroll employees did not complete the training, as required by\n         the FISD contract.\n\n         CACI and Kroll stated that they provide the OPM IT Security Awareness Training on an\n         annual basis when the OPM IT security staff provides them with the training materials. New\n         investigators receive IT Security Awareness Training in the New Investigator Training and\n         therefore they do not feel that it is necessary to provide a separate IT Security Awareness\n         Training for the new hires.\n\n         OPM\xe2\x80\x99s Information Security and Privacy Policy, dated September 2007, Section A.2.9.2, states\n         that \xe2\x80\x9cAll OPM employees and contractors accessing OPM information resources will attend\n         information security and privacy awareness training before being granted access to OPM\n         information resources.\xe2\x80\x9d\n\n         The FISD contract states that \xe2\x80\x9cOPM information technology [IT] security staff will approve the\n         training materials and follow up with contractor to ensure timely completion. OPM will require a\n         memorandum that initial IT Security Awareness Training has been completed within thirty (30)\n         days of initial hiring of a new employee. 
Subsequently, the contractor shall provide, on an annual\n         basis (on the anniversary date of the award of the contract), a memorandum indicating that\n         refresher IT Security Awareness training has been completed.\xe2\x80\x9d\n\n         As a result of not providing new employees with OPM\xe2\x80\x99s IT Security Awareness Training, there is\n         an increased risk that new employees will not be aware of their responsibilities in\n\n\n\n\n                                                     6\n\x0cdealing with PII and sensitive information, etc., and information that is accessed through OPM\xe2\x80\x99s\nsystems may be compromised.\n\nRecommendation 1\n\nWe recommend that FISD require CACI and Kroll to provide the OPM IT Security Awareness\nTraining to all of their new employees within 30 days of their initial hire date, and document\ncompletion of this training by issuing a memorandum to OPM, as required by their contract.\n\nFISD\xe2\x80\x99s Response:\n\nFISD concurs with this recommendation and stated that Kroll and CACI are submitting monthly\nreports that identify new hires and separations. These reports include clarification that the new\nhires have received security awareness training within 30 days of hire indicated either by a\ncheckmark or overall statement on the reports.\n\nOIG Comment:\n\nFISD provided copies of management reports and training completion certificates for Kroll\nemployees. We selected a sample of 2 Kroll employees from the reports provided and verified that\nthe employees completed training within 30 days of their hire date. In addition, FISD provided\nmanagement reports and training certificates for CACI employees. We selected a sample of 4\nCACI employees from the reports and determined that all employees completed the training within\n30 days of their hire date with the exception of one who completed the training four months\nafter their hire date. 
Based on our analysis of the information provided, we have determined that\nOPM has taken appropriate action to address this recommendation and we consider the\nrecommendation closed.\n\nRecommendation 2\n\nWe recommend that FISD require CACI and Kroll to provide monthly management reports that\nlist the names of new employees that have been hired during that period. FISD should utilize these\nreports, along with the training completion memoranda provided by CACI and Kroll, to ensure that\nnew employees and sub-contractors are being trained prior to being granted access to OPM\nsystems, as required by OPM\xe2\x80\x99s Information Security and Privacy Policy.\n\nFISD\xe2\x80\x99s Response:\n\nFISD concurs with this recommendation and stated that effective February 1, 2009 all contractors\nwill be required to submit monthly management reports identifying all new hires that have\ncompleted security awareness training and completion certificates to the contractor\xe2\x80\x99s respective\noversight teams. The list of new hires will be reconciled against the certificates received to\nconfirm compliance with the training requirement.\n\n\n\n\n                                            7\n\x0c     OIG Comment:\n\n     We reviewed management reports identifying new hires and training completion certificates;\n     however, we were not provided with evidence that FISD is reconciling the reports against the\n     training completion certificates.\n\n2.   No PII Training for Contractors\n\n     FISD did not require Goodwill employees to be trained on the collection of bins containing\n     documentation to be shredded, observation of the shredding process, and safeguarding of PII. 
In addition, we could not determine whether Iron Mountain (IM) employees, responsible for handling the bins, have received appropriate training.

On a daily basis, the full bins, which are located throughout FISD headquarters, are moved to and stored in the Goodwill area until they are transported to the IM facility where the documents containing PII will be shredded. IM is responsible for retrieving the full bins from the Goodwill area and transporting them to its facility. During transport, Goodwill employees ensure that the IM truck and the bins are not compromised. Upon arrival at the IM facility, IM employees unload the bins from the truck; unlock the bins; and empty the bins, which contain documents including PII, for shredding. IM employees shred the documentation and return the empty bins to the Goodwill area at FISD headquarters. Goodwill employees supervise the unloading and shredding of the PII materials at the IM facility.

Goodwill is also responsible for ensuring that its employees receive training related to the collecting, transporting, and storing of the bins and for observing the shredding of PII. FISD does not have controls in place to ensure that its contractors are appropriately training employees on the collection and observation of the shredding process, including the handling of PII.

OPM’s contract with Goodwill Industries of Pittsburgh, Section 2.10.4, Shredding Container Collection, states that the “Contractor shall ensure that employees responsible for shredding container collection have had the appropriate training.” Appropriate training would include Goodwill’s responsibilities for the collection of bins and the observation of the shredding process and all PII related responsibilities.

Not training all personnel involved with the container collection and shredding process may lead to the compromise, loss, and/or theft of PII.

Recommendation 3

We recommend that FISD implement internal control procedures to ensure that Goodwill and IM provide training to employees for the collection, transportation, and destruction of documents, including PII. Internal controls should include a requirement for contractors to provide documentation to FISD to support the completion of training.

FISD’s Response:

FISD concurs with this recommendation and stated that all affected employees completed training by January 21, 2009.

OIG Comment:

FISD provided training materials, training sign-in sheets, and listings of Goodwill and Iron Mountain employees. We reviewed this documentation and verified that current Goodwill and Iron Mountain employees completed PII training. However, FISD did not provide documentation (i.e., internal control procedures) to ensure that all new hires after January 21, 2009 will be trained on the security of PII and the container collection and shredding processes.

B. Incident Reporting

1. Lack of Controls for Contractor Incident Reporting

The Contractors did not report the loss of PII in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy.

We judgmentally selected incidents related to the loss of PII that were reported to OPM’s Situation Room between November 1, 2007 and April 18, 2008. We selected the 3 incidents reported by CACI; the 7 incidents reported by Kroll; and 5 out of 13 USIS incidents for review. We reviewed the incident files to determine whether the Contractors handled PII and reported incidents in accordance with FISD’s policies and procedures.

FISD’s policy for the “Loss or Compromise of Personally Identifiable Information”, effective November 19, 2007, states that when an incident is detected the following parties must be notified within 30 minutes, regardless of the time of day:

   •   local police department if the information is lost due to a theft;
   •   OPM’s Situation Room; and
   •   immediate Supervisor/Designee.

In addition, the FISD policy states that the supervisor or designee must perform the following steps when notified of an incident:

   •   Immediately send an email, with all details known thus far, to the employee’s second level supervisor and the FISD Incident Response Team, and
   •   Within four hours of notification, working with the employee, the supervisor or designee must prepare an incident report, document the timeline of events, and prepare an inventory of the case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team.

The Contractors’ controls are not effective in ensuring that incidents are reported properly and timely, in accordance with PII policies. Specifically, we found that:

   •   Six incidents were not reported to the OPM Situation Room within 30 minutes of the incident being discovered;
   •   Five incidents were not reported to the supervisor/designee within 30 minutes of the incident being discovered;
   •   FISD’s Incident Response Team was not immediately notified of three incidents; and
   •   Four incident reports were not issued to FISD within four hours.

In addition, there was a lack of documentation to determine whether:

   •   The OPM Situation Room was notified of one incident within 30 minutes after detection of the potential loss of PII;
   •   The supervisor/designee was notified of three incidents within 30 minutes after detection of the potential loss of PII;
   •   The employee’s second level supervisor and the FISD Incident Response Team were immediately notified of three incidents; and
   •   Incident reports, documenting the timeline of events, and an inventory of the case materials potentially compromised, were prepared within four hours of notification of four incidents.

Details for each incident were provided to FISD separate from this report.

If incidents of the loss of PII are not reported in accordance with FISD’s policies, there is an increased risk that PII will be compromised.

Recommendation 4

We recommend that FISD ensure that its Contractors strengthen their controls over incident reporting to ensure that incidents are reported in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy.

FISD’s Response:

FISD stated that documentation is available to support the two Kroll cases where FISD indicated that the Incident Response Team had been immediately notified and the reports were prepared within four hours. In addition, they state, “We do not disagree with the finding associated with the remaining two and FISD is in the process of re-writing its PII Policy to enhance this process which should be issued to all Federal and Contractor staff in March 2009.”

OIG Comment:

We reviewed documentation (i.e., incident report forms, email notifications, etc.) that FISD provided; however, the documentation was not sufficient to show that the Kroll Supervisor/Security Officer was immediately notified of the two incidents. The incident reports/forms, email notifications, etc., did not document the time the incident was discovered by the investigator for one of the two Kroll incidents. As a result, we could not determine whether the OPM Situation Room was notified within 30 minutes of the investigator’s discovery of the PII incident.

2. Lack of Controls for FISD Incident Reporting

FISD’s controls for reporting the loss or compromise of PII do not ensure that incidents are reported timely, in accordance with its “Loss or Compromise of Personally Identifiable Information” policy.

We judgmentally selected 2 out of 11 incidents related to the loss of PII that were reported by FISD to OPM’s Situation Room between November 1, 2007 and March 31, 2008. We reviewed the incident files to determine whether FISD handled PII and reported incidents in accordance with FISD’s policies and procedures.

At the time of our audit, FISD did not have a standardized reporting format to ensure that the protocols of its “Loss or Compromise of Personally Identifiable Information” policy are documented and completed in a timely manner.

Specifically, we found that neither of the two incidents reviewed was reported by FISD employees to the OPM Situation Room within 30 minutes of discovery. In addition, one incident was not immediately reported by the Supervisor/Designee to the FISD Incident Response Team, nor was the incident report sent to the FISD Incident Response Team within four hours of discovery, as required by the policies.
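The deadlines in this policy can be checked mechanically against the timestamps in an incident file, and such a check has to distinguish a late notification from one that cannot be judged because the time was never documented, which is the distinction the findings above draw. The following Python script is an added example and is not part of this report or of FISD's procedures; the incident identifiers and timestamps are constructed, and the 15-minute window used to approximate "immediately" is an assumption of the example.

```python
"""Check PII-loss incident records against the notification deadlines above."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Deadlines stated in the policy quoted in the report.
NOTIFY_DEADLINE = timedelta(minutes=30)   # Situation Room, supervisor, police (theft)
REPORT_DEADLINE = timedelta(hours=4)      # incident report, timeline and inventory
# The policy says the IRT email is sent "immediately" without giving a number;
# this 15-minute window is an assumption of this example, not the policy's figure.
IMMEDIATE_GRACE = timedelta(minutes=15)


@dataclass
class Incident:
    """One incident file. Every timestamp may be missing, as the audit found."""
    incident_id: str                 # constructed identifier, not a real case
    discovered: Optional[datetime]
    situation_room_notified: Optional[datetime] = None
    supervisor_notified: Optional[datetime] = None
    irt_email_sent: Optional[datetime] = None
    report_sent: Optional[datetime] = None
    theft: bool = False
    police_notified: Optional[datetime] = None


def judge(start: Optional[datetime], event: Optional[datetime],
          limit: timedelta) -> str:
    """Verdict for one required step: 'ok', 'late', or 'undetermined'.

    A missing start or event timestamp is 'undetermined': without the
    documented time the auditor cannot say whether the deadline was met,
    which is the "lack of documentation" finding in the report.
    """
    if start is None or event is None:
        return "undetermined"
    return "ok" if event - start <= limit else "late"


def evaluate(inc: Incident) -> Dict[str, str]:
    """Apply each policy step to one incident; returns step -> verdict."""
    results = {
        # 30-minute notifications run from the moment of discovery.
        "situation_room_30m": judge(inc.discovered, inc.situation_room_notified, NOTIFY_DEADLINE),
        "supervisor_30m": judge(inc.discovered, inc.supervisor_notified, NOTIFY_DEADLINE),
        # The supervisor's own steps run from when the supervisor was notified.
        "irt_email_immediate": judge(inc.supervisor_notified, inc.irt_email_sent, IMMEDIATE_GRACE),
        "report_4h": judge(inc.supervisor_notified, inc.report_sent, REPORT_DEADLINE),
    }
    if inc.theft:  # police notification is required only when PII was stolen
        results["police_30m"] = judge(inc.discovered, inc.police_notified, NOTIFY_DEADLINE)
    return results


def summarize(incidents: List[Incident]):
    """Per step, count incidents that were late and incidents that cannot be
    judged; this mirrors the two bullet lists in the finding."""
    late: Dict[str, int] = {}
    undetermined: Dict[str, int] = {}
    for inc in incidents:
        for step, verdict in evaluate(inc).items():
            if verdict == "late":
                late[step] = late.get(step, 0) + 1
            elif verdict == "undetermined":
                undetermined[step] = undetermined.get(step, 0) + 1
    return late, undetermined


def t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


# Constructed sample incident files; identifiers and times are invented.
SAMPLE = [
    # Every step documented and within its deadline.
    Incident("INC-001", t("2008-03-03T09:00"), t("2008-03-03T09:20"),
             t("2008-03-03T09:10"), t("2008-03-03T09:15"), t("2008-03-03T12:30")),
    # Situation Room told after 70 minutes; report issued 4h35m after notification.
    Incident("INC-002", t("2008-03-05T14:00"), t("2008-03-05T15:10"),
             t("2008-03-05T14:25"), t("2008-03-05T14:30"), t("2008-03-05T19:00")),
    # Discovery time never recorded, so the 30-minute steps cannot be judged.
    Incident("INC-003", None, t("2008-03-07T08:45"),
             t("2008-03-07T08:40"), t("2008-03-07T08:50"), t("2008-03-07T11:00")),
    # Theft case: IRT email undocumented; police notified 50 minutes after discovery.
    Incident("INC-004", t("2008-03-10T16:00"), t("2008-03-10T16:20"),
             t("2008-03-10T16:10"), None, t("2008-03-10T18:00"),
             theft=True, police_notified=t("2008-03-10T16:50")),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, evaluate(inc))
    print("late:", summarize(SAMPLE)[0])
    print("undetermined:", summarize(SAMPLE)[1])
```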
Details of the incidents were provided to FISD separate from this report.

FISD’s policy for the “Loss or Compromise of Personally Identifiable Information”, effective November 19, 2007, states that when an incident is detected by a FISD employee the following parties must be notified within 30 minutes, regardless of the time of day:

   •   local police department if the information is lost due to a theft;
   •   OPM’s Situation Room; and
   •   immediate Supervisor/Designee.

In addition, FISD’s policy states that the Supervisor/Designee must perform the following protocols when notified of an incident:

   •   Immediately send an email, with all details known thus far, to the FISD Incident Response Team, and
   •   Within four hours of notification, working with the employee, the Supervisor/Designee must prepare an incident report, document the timeline of events, and prepare an inventory of the case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team.

If incidents are not reported timely, there is a delay in notifying the affected individuals of the situation and the options available to protect their identities from the possibility of theft.

Recommendation 5

We recommend that FISD establish a standardized reporting format to ensure that incidents are documented and reported to the appropriate parties within the timeliness standards outlined in their “Loss or Compromise of Personally Identifiable Information” policy.

FISD’s Response:

FISD stated that “A standard format was established and issued to all FISD personnel…. The form will be modified to specifically include Supervisor/Designee responsibilities to ensure that timeliness requirements are met. Anticipated completion date is February 28, 2009.”

C. Investigative Case Notes

1. Lack of Controls for the Timely Return of Investigative Case Notes

CACI and Kroll do not have controls in place to ensure that investigative case notes are returned to headquarters within two weeks, as required by their contract with FISD. Details regarding the case notes were provided to FISD separate from this report.

We judgmentally selected 10 out of 28 cases that were closed by CACI as of April 24, 2008; 10 out of 209 cases that were closed by Kroll on February 27, 2008; and 10 out of an unknown number of cases that were closed by USIS as of February 29, 2008.
We reviewed these case materials to determine if the related case notes were maintained at the Contractors’ headquarters and were returned within two weeks of the completion of each case.

Upon completion of a background investigation (case), investigators transmit the closed case to FISD via the Personnel Investigations Processing System (PIPS). All case notes and documentation related to the closed case must be returned to their appropriate headquarters within two weeks after an investigation is completed. Both CACI and Kroll have methods of tracking cases when they are initially sent to investigators and when the case materials are returned to headquarters. For instance, CACI uses a log to track when cases are sent to investigators, when the closed cases are transmitted to FISD in PIPS, and the date that case notes are received by headquarters. Kroll uses a PIPS report to show when closed cases are transmitted to FISD. Kroll also documents the receipt of case notes at headquarters in Microsoft Access.

Even though CACI and Kroll have methods of documenting when case notes are received by their headquarters, they are not tracking the number of days between the date the cases are transmitted in PIPS and the date the case notes are received at their respective headquarters. In addition, they do not have written policies and procedures in place that require the investigators to return case notes within the two weeks after an investigation is transmitted to FISD in PIPS.

FISD’s contract with CACI and Kroll states that “Within two weeks of a completed investigation, the Contractor shall be in possession of all investigator and investigative technician notes, case material sent to investigators and investigative technicians and all other investigative materials. … The material retained by the Contractor shall be located at the Contractor’s Program Management Office (PMO).”

If case notes are not returned within two weeks, as required by the FISD contract, there is an increased risk that PII may be compromised, lost, or stolen.

Recommendation 6

We recommend that FISD require CACI and Kroll to implement controls to ensure that the investigative case notes are returned to the Contractor’s PMO within two weeks of a completed investigation, as required by the FISD Contract.

FISD’s Response:

FISD concurs with this recommendation and stated that “Inspections will be completed beginning in the 2nd Quarter of FY09 to review Contractor note collection procedures and to determine if the documented procedures are being followed.”

2. Lack of Controls over the Return of Investigative Case Notes

We judgmentally selected 10 out of 12,363 cases that were closed by FISD investigators between February 1 and February 29, 2008. We requested the case notes to determine if the notes were returned to and maintained at FISD headquarters.

We concluded that FISD could not provide the case notes related to one case because the notes were destroyed before the end of the three-year retention period. We also noted that FISD does not have controls (i.e., a reconciliation process) in place to ensure that all case materials are returned once a case is closed in PIPS. FISD stated that the case notes related to the one case in our sample were destroyed before the end of the three-year retention period because the retention policy was not clearly understood by its employee(s).

Upon completion of a background investigation, the investigator will close the case in PIPS. Investigative case notes related to the closed cases are manifested by the FISD field offices, boxed up, and shipped to FISD headquarters. A tracking number is assigned to each box containing closed case materials. The tracking numbers and manifests are transmitted to FISD headquarters, where the tracking numbers are compiled into a list and verified against the boxes that are received by FISD headquarters for the week to ensure that all notes that were manifested are accounted for. Once all tracking numbers have been verified as received, the list of tracking numbers is discarded. The case notes that are returned to FISD headquarters are maintained for a period of three years before they are destroyed.

FISD’s policy issued on February 22, 2008 states that all original case notes must be maintained for a period of three years after the case is closed.

The Office of Management and Budget (OMB) Circular A-123 states that procedures may vary; however, there should be a clear, organized strategy with a well-defined documentation process that is auditable, verifiable, and defines a specific documentation retention period.

OMB Circular A-123 also requires the development and maintenance of internal control activities that comply with standards such as control environment, risk assessment, and monitoring.

Without specific guidance for tracking, returning, and maintaining case notes, there is an increased risk that PII will be compromised, lost, or stolen.

Recommendation 7

We recommend that FISD ensure that its employees have a clear understanding of the destruction policy related to case notes and case materials, as required by OMB A-123.

FISD’s Response:

FISD stated, “Once we were informed of the need to maintain these for three years we put into procedures to maintain them and currently have procedures in place to return these case notes to Boyers for the three year retention.

FISD is working with records retention specialists at [the General Accountability Office] GAO and [National Archives and Records Administration] NARA to get the language changed to allow retention for 30 days versus three years…. once this policy issue is resolved, reinforcing the rules throughout FISD would be a useful initiative so our plan is to include this topic in the annual PII training that all FISD staff will be receiving later this year.”

OIG Comment:

We reviewed FISD’s “OPM Record Retention Transport Guidelines,” which supports that FISD has implemented procedures to retain records such as handwritten investigative case notes, case papers, and releases with original signatures for three years, in accordance with FISD’s retention policy.
Thus, OPM has taken appropriate action to address this recommendation and we consider the recommendation closed.

Recommendation 8

We recommend that FISD implement internal controls for monitoring the return of case notes for investigations closed in PIPS, in compliance with OMB A-123.

FISD’s Response:

FISD stated that its “policy has been changed to require all case notes to be returned to Boyers for storage for the three year retention period…. FISD staff regularly conducts spot checks to ensure that case notes are being returned for closed cases.”

OIG Comment:

We reviewed FISD’s “PII Accountability” Memo and determined that these procedures address the manifesting of case notes that are shipped between the field agents and field offices. However, the memo does not address procedures and/or controls to support that FISD has a process in place for monitoring the return of case notes for investigations closed in PIPS. For example, if an investigator closed 20 cases in PIPS during the week, there should be a process in place for the Special Agent-in-Charge or Supervisor to ensure they receive the case notes for those 20 closed cases. There should be some type of reconciliation between the cases closed in PIPS and the case notes they receive. In addition, FISD did not provide documentation to show that spot checks for case notes are being conducted.

D. Telework

1. Lack of Controls for the Handling of PII While Employees Telework

FISD does not have an adequate method of tracking the removal and return of background cases and related case materials while employees telework.

Prior to November 19, 2007, FISD permitted its employees to participate in a Flexi-Place/Telework program, which included the removal of PII. The employees who participated in this program were required to sign Flexi-Place/Telework agreements prior to removing work from FISD facilities. They were also responsible for safeguarding government records from unauthorized disclosure or damage and returning cases and case-related materials the next scheduled work day or upon completion of the assignment based on an agreement with the supervisor. FISD suspended its Flexi-Place/Telework program on November 19, 2007.

We randomly selected logs of the employees who teleworked from Boyers, Pennsylvania and Fort Meade, Maryland during the months of August and November 2007. We reviewed the telework documentation to determine if employees were adhering to their groups’ telework policies. Based on our review of FISD groups’ policies and procedures for logging PII in and out for telework, we determined that the following items were not consistently evident in the files we reviewed:

   •   supervisory approval for removal of cases/case materials;
   •   supervisory confirmation that the information removed was returned; and
   •   a list of all case-related information that was removed or returned to the employee’s workplace.

In addition, we found that some offices within FISD did not maintain a log for the employees who removed PII while teleworking.

The Suitability Adjudication, Contract Adjudication Branch, and Case Management Group’s policies and procedures state that cases and case materials must be documented in a log. In addition, the log should document the employee’s initials to show receipt that they are in possession of the documentation prior to leaving the FISD facility; supervisory approval; and acknowledgement by the supervisor that the cases and case-related materials were returned upon completion of the assignment.

The Office of Management and Budget (OMB) Circular A-123 states that procedures may vary; however, there should be a clear, organized strategy with a well-defined documentation process that is auditable, verifiable, and defines a specific documentation retention period.

OMB Circular A-123 also requires the development and maintenance of internal control activities that comply with standards such as control environment, risk assessment, and monitoring.

OPM’s telework guide for the federal government states that managers are responsible for tracking the removal and return of potentially sensitive materials, such as personnel records and case materials. This would include the removal of PII.

The lack of a FISD-wide telework policy to monitor the whereabouts of cases and case-related materials increases the risk of the loss, theft, or compromise of PII.

Recommendation 9

We recommend that FISD develop internal controls to effectively monitor and document the removal and return of PII for telework.

FISD’s Response:

FISD concurs with this recommendation and stated, in reference to the suspension of telework and/or flexi-place for all FISD employees or contractors, that “In the event that this suspension is ever lifted, FISD will develop and put in place appropriate internal controls to ensure 100% accountability of any material removed from a FISD facility.”

OIG Comment:

FISD’s response suggests that internal controls will be developed after the suspension is lifted; however, our position is that the internal controls should be in place before the suspension can be lifted.

IV. MAJOR CONTRIBUTORS TO THIS REPORT

Internal Audits Group

   Auditor
   Lead Auditor
   Senior Team Leader
   Chief

APPENDIX

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Federal Investigative Services Division
2009 JAN 30 PM 2:59
January 30, 2009

MEMORANDUM FOR: Chief, Internal Audits Group, Office of the Inspector General

FROM: Kathy L. Dillaman, Associate Director, Federal Investigative Services Division

SUBJECT: Draft Report on the Audit of the Security of Personally Identifiable Information in the Federal Investigative Services Division of the U.S. Office of Personnel Management (Report No. 4A-IS-00-08-014)

Summary of OPM Position

We have reviewed your draft audit report on the Security of Personally Identifiable Information (PII) in the Federal Investigative Services Division (FISD) of the U.S. Office of Personnel Management (Report No. 4A-IS-00-08-014) and are in agreement with many of the findings and recommendations identified in the report. We recognize that even the most well run programs can benefit from an external evaluation and we appreciate the input of the Office of the Inspector General as we continue to work to enhance our security measures for protecting PII. Specific responses to your recommendations are provided below.

Response to Recommendations

FINDING #A1: No Security Awareness Training for New Hires

CACI and Kroll do not provide OPM IT Security Awareness Training to new employees within 30 days of their initial hiring.

We judgmentally selected 5 out of 32 CACI employees hired during the month of December 2007; 5 out of 50 Kroll employees hired between October 1, 2006 and September 30, 2007; and 5 out of 56 USIS employees hired between October 1, 2006 and September 30, 2007 to determine if they completed the IT Security Awareness Training within 30 days of initial hiring.

The results of our review disclosed that the CACI and Kroll employees did not complete the training, as required by the FISD contract.

CACI and Kroll stated that they provide the OPM IT Security Awareness Training on an annual basis when the OPM IT security staff provides them with the training materials. New
investigators receive IT Security Awareness Training in the New Investigator Training and therefore, they do not feel that it is necessary to provide a separate IT Security Awareness Training for the new hires.

OPM’s Information Security and Privacy Policy, dated September 2007, Section A.2.9.2, states that “All OPM employees and contractors accessing OPM information resources will attend information security and privacy awareness training before being granted access to OPM information resources.”

The FISD contract states that “OPM information technology [IT] security staff will approve the training materials and follow up with contractors to ensure timely completion. OPM will require a memorandum that initial IT Security Awareness Training has been completed within thirty (30) days of initial hiring of a new employee. Subsequently, the contractor shall provide, on an annual basis (on the anniversary date of the award of the contract), a memorandum indicating that refresher IT Security Awareness training has been completed.”

As a result of not providing new employees with OPM’s IT Security Awareness Training, there is an increased risk that new employees will not be aware of their responsibilities in dealing with PII and sensitive information, etc. and information that is accessed through OPM’s systems may be compromised.

RECOMMENDATION 1: We recommend that FISD require CACI and Kroll to provide the OPM IT Security Awareness Training to all of their new employees within 30 days of their initial hire date, and document completion of this training by issuing a memorandum to OPM, as required by their contract.

MANAGEMENT RESPONSE: CONCURRENCE. Kroll and CACI are submitting monthly reports to [name redacted] identify new hires and separations. The Field Investigations Oversight Branch (FIOB) is copied on these reports. These reports include clarification that the new hires have received security awareness training within 30 days of hire indicated either by a checkmark or an overall statement within the report. Samples of these reports as well as completion certificates were provided previously to the audit team.

RECOMMENDATION 2:

We recommend that FISD require CACI and Kroll to provide monthly management reports that list the names of new employees that have been hired during that period. FISD should utilize these reports, along with the training completion memoranda provided by CACI and Kroll, to ensure that new employees and sub-contractors are being trained prior to being granted access to OPM systems, as required by OPM’s Information Security and Privacy Policy.

MANAGEMENT RESPONSE: CONCURRENCE. Effective February 1, 2009, FISD will require all contractors to include the respective oversight team on the monthly submission identifying all new hires that have completed security awareness training. Each oversight team will receive the list that shows completion of the training has occurred within the first 30 days of hire. Electronic copies of the certificates that are issued after the course completion will also be required. The list of new hires will be reconciled against the certificates received to confirm 100% compliance with the required training.

FINDING A2: No Security Awareness Training for New Hires

FISD did not require Goodwill employees to be trained on the collection of bins, observation of the shredding process, and safeguarding of PII. In addition, we could not determine whether Iron Mountain (IM) employees, responsible for handling the bins, have received appropriate training.

On a daily basis, the full bins, which are located throughout FISD headquarters, are moved to and stored in the Goodwill area until they are transported to the Iron Mountain (IM) facility where the documents containing PII will be shredded. IM is responsible for retrieving the full bins from the Goodwill area and transporting them to its facility. During transport, Goodwill employees ensure that the IM truck and the bins are not compromised. Upon arrival at the IM facility, IM employees unload the bins from the truck; unlock the bins; and empty the bins, which contain documents including PII, for shredding. IM employees shred the documentation and return the empty bins to the Goodwill area at FISD headquarters. Goodwill employees supervise the unloading and shredding of the PII materials at the IM facility.

Goodwill is also responsible for ensuring that its employees receive training related to the collecting, transporting, and storing of the bins and for observing the shredding of PII. FISD does not have controls in place to ensure that its contractors are appropriately training employees on the collection and observation of the shredding process, including the handling of PII.

OPM’s contract with Goodwill Industries of Pittsburgh, Section 2.10.4, Shredding Container Collection, states that the “Contractor shall ensure that employees responsible for shredding container collection have had the appropriate training.” Appropriate training would include Goodwill’s responsibilities for the collection of bins and the observation of the shredding process and all PII related responsibilities, as instructed by the Director of OPM.

Not training all personnel involved with the container collection and shredding process may lead to the compromise, loss, and/or theft of PII.

RECOMMENDATION 3:

We recommend that FISD implement internal control procedures to ensure that Goodwill and IM provide training to employees for the collection, transportation, and destruction of documents, including PII. Internal controls should include a requirement for contractors to provide documentation to FISD to support the completion of training.

MANAGEMENT RESPONSE: CONCURRENCE. The FISD Security and Safety Team has been working with Iron Mountain to complete the training, and all affected employees completed training by January 21, 2009. The Federal presence that has been in place until the training is complete ceased as of that date.

FINDING B1: Lack of Controls for Contractor Incident Reporting

The Contractors did not report the loss of PII in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy.

We judgmentally selected incidents related to the loss of PII that were reported to OPM’s Situation Room between November 1, 2007 and April 18, 2008. We selected the three incidents reported by CACI; the seven incidents reported by Kroll; and five out of thirteen USIS incidents for review. We reviewed the incident files to determine whether the Contractors handled PII and reported incidents in accordance with FISD’s policies and procedures.

The Contractors’ controls are not effective to ensure that incidents are being reported properly and timely, in accordance with PII policies. Specifically, we found that:

   •   Six incidents were not reported to the OPM Situation Room within 30 minutes of the incident being discovered;
   •   Five incidents were not reported to the supervisor/designee within 30 minutes of the incident being discovered;
   •   FISD’s Incident Response Team was not immediately notified of three incidents; and
   •   Four incident reports were not issued to FISD within four hours.

In addition, there was a lack of documentation to determine whether:

   •   The OPM Situation Room was notified of one incident within 30 minutes after detection of the potential loss of PII;
   •   The supervisor/designee was notified of three incidents within 30 minutes after detection of the potential loss of PII;
   •   The employee’s second level supervisor and the FISD Incident Response Team were immediately notified of four incidents; and
   •   Incident reports, documenting the timeline of events, and an inventory of the case materials potentially compromised, were prepared within four hours of notification of six incidents.

Details for each incident were provided to FISD separate from this report.

FISD’s policy for the “Loss or Compromise of Personally Identifiable Information”, effective November 19, 2007, states that when an incident is detected the following parties must be notified within 30 minutes, regardless of the time of day:

   •   local police department if the information is lost due to a theft;
   •   OPM’s Situation Room; and
   •   immediate Supervisor/Designee.

In addition, the FISD policy states that the supervisor or designee must perform the following steps when notified of an incident:

   •   Immediately send an email, with all details known thus far, to the employee’s second level supervisor and the FISD Incident Response Team and
   •   Within four hours of notification, working with the employee, the supervisor or designee must prepare an incident report, document the timeline of events, and prepare an inventory of the case material potentially compromised. These documents must be sent to the second level supervisor and the FISD Incident Response Team.

If incidents of the loss of PII are not reported in accordance with FISD’s policies, there is an increased risk that PII will be compromised.

RECOMMENDATION 4:

We recommend that FISD ensure that its Contractors strengthen their controls over incident reporting to ensure that incidents are reported in accordance with FISD’s “Loss or Compromise of Personally Identifiable Information” policy.

MANAGEMENT RESPONSE: PARTIAL CONCURRENCE. FISD was able to locate the necessary documentation to support the conclusion that the two Kroll cases identified where FISD indicated that the Incident Response team had been immediately notified and that reports were prepared within 4 hours.
These documents are available for review by the Audit Team.\nWe do not disagree with the finding associated with the remaining two and FISD is in the\nprocess of re-writing its PH Policy to\xc2\xb7 enhance this process which should be issued to all Federal\nand Contractor staff in March 2009.\n\nFINDING B2: Lack of Controls for FISD Incident Reporting\n\nFISD\'s controls for reporting the loss or compromise ofPII do not ensure that incidents are\nreport\'ed timely, in accordance with their Loss or Compromise ofPII policy.\n\nWe judgmentally selected 2 out of11 incidents related to the loss ofPll that were reported by\nFISD to OPM\'s Situation Room between November 1,2007 and March 31,2008. We reviewed\nthe incident files to determine whether FISD handled Pll and reported incidents in accordance\nwith FISD \'s policies and procedures.\n\n FISD does not have a standardized reporting/ormat to ensure that the protocols oftheir "Loss\nor Compromise ofPI!" policy are documented and completed in a timely manner.\nSpecifically, we found that neither ofthe two incidents reviewed were reported by FISD\n employees to the OPM Situation Room within 30 minutes ofdiscovery. In addition, one incident\nwasnot immediately reported by the Supervisor/Designee to the FISD Incident Response Team\n nor was the incident report sent to the FISD Incident Response Team withinfour hours of\ndiscovery, as required by the policies. 
Details ojthe incidents were provided to FISD separate\nfrom this report.\n\n\n                                               5\n\n\x0cFISD \'s policy for the "Loss or Compromise ofPersonally Identifiable Information ", effective\nNovember 19, 2007, states that when an incident is detected by a FISD employee the following\nparties must be notified within 30 minutes, regardless ofthe time ofday-\xc2\xad\n\n           \xe2\x80\xa2 \t local police department if the information is lost due to a theft;\n           \xe2\x80\xa2 \t OPM\'s Situation Room,- and\n           \xe2\x80\xa2 \t immediate Supervisor/Designee.\nIn addition, FISD \'s policy states that the Supervisor/Designee must perform the following\nprotocols when notified ofan incident:\n\n           \xe2\x80\xa2 \t Immediately send an email, with all details known thus far, to the FISD Incident\n               Response Team, and\n           \xe2\x80\xa2 \t Within four hours ofnotification, working with the employee, the\xc2\xb7\n                Supervisor/Designee must prepare an incident report, document the timeline of\n                events, and prepare an inventory ofthe case material potentially compromised.\n                These documents must be sent to the second level supervisor and the FISD\n              . InCident Response Team.\n\nJfincidents are not reported limely, there is a delay in notifying the affected individuals ofthe\nsituation and the options available to protect their identities from the possibility oftheft-\n\nRECOMMENDATION 5:\n\nWe reconunend that FISD establish a standardized reporting format to ensure that incidents are\ndocumented and reported to the appropriate parties within the timeliness standards outlined in\ntheir Loss and Compromise of PII policy.\n\nMANAGEMENT RESPONSE: PARTIAL CONCURRENCE. A standard format was\nestablished and issued to all FISD personnel. It has been updated once since its initial issue. 
The\nform will be modified to specifically include Supervisor/Designee responsibilities to ensure that\ntimeliness requirements are met. Anticipated completion date is February 28, 2009.\n\nFINDING Cl: Lack of Controls for the Timely Return of Investigative Case Notes\n\nCAeI and Kroll do not have controls in place to ensure that investigative case notes are returned\nto headquarters within two weeks, as required by their contract with FISD. DELETED BY DIG\n  - NOT RELEVANT TO THE REPORT                            . Details regarding the cases were\nprovided Lo FISD separate from this report.\n\nWe judgmentally selected 10 oul of 28 closed cases thai were tracked by CAC! as ofApril 24, \n\n2008; 10 out of209 cases that were closed by Kroll on February 27, 2008; and 10 oul ofan \n\nunknown number ofcases that were closed by USIS as ofFebruary 29, 2008. We reviewed these \n\ncase files to determine if the relaled cases notes were mainlained at Ihe Contractors\' \n\n                                                                                                      /\n\nheadquarters and were returned within twa weeks ofthe completion ofeach case.\n\n                                                6\n\x0cUpon completion ofa background investigation (case), investigators transmil the closed case to\nFISD via the Personnel Investigations Processing Systems (PIPS). All case notes and\ndocumentation related to the closed case must be returned to their appropriate headquarters\nwithin two weeks after an investigation is completed. Both CAC! and Kroll have methods of\ntracking cases when they are initially sent 10 investigators and when the cases are returned to\nheadquarters. For instance, CACI uses a log to track when cases are sent to investigators, when\nthe closed cases are transmitted to FISDin PIPS, and the date that case notes are received by\nheadquarters. 
Kroll uses a PIPS report to show when closed cases are transmitted to FISD.\nKroll also documents the receipt ofcase notes at headquarters in Microsoft Access.\n\nEven though CACI and Kroll have methods ofdocumenting when case notes are received by\ntheir headquarters they are not tracking the number ofdays between the date the cases are\ntransmitted in PIPS and the date the case notes are received at their respective headquarters. In\naddition, they do not have written policies and procedures in place that require the investigators\nto return case notes within the two weeks after an investigation is transmitted to FISD in PIPS.\n\nFISD\'s contract with CAeI and Kroll states that "within two weeks ofa completed investigation,\nthe Contractor shall be in possession ofall investigator and investigative technician notes, case\nmaterial sent to investigators and investigative technicians, and all other investigative materials.\n... The material retained by the Contractor shall be located at the Contractor\'s Program\nManagement Office (PMO). "\n\nIf case notes are not returned within two weeks, as required by the FISD contract, there is an\nincreased risk that PII may be compromised, lost, or stolen.\n\nRECOMMENDATION 6:\n\nWe reconunend that FISD require CACI and Kroll to implement controls to ensure that the\ni~vestigative case notes are returned to the Contractor\'s PMO within two weeks of a completed\ninvestigation, as required by the FISD Contract.\n\nMANAGEMENT RESPONSE: CONCURRENCE. Inspections will be completed\nbeginning in the 2nd Quarter of FY09 to review Contractor note collection procedures and to\ndetermine if the documented procedures are being followed. Inspection locations will be\nselected on a random basis. 
In the event that a specific region is identified as having a high\nincident rate of reported PH loss or compromise, that region will be specifically targeted for\ninspection.\n\nRECOMMENDATION 7:\n\n\n\n                   DELETED BY DIG - NOT RELEVANT TO THE REPORT\n\n\n\n\n                                               7\n\x0c                 DELETED BY OIG -NOT RELEVANT TO THE REPORT \n\n\n\n\n\nFINDING C2: Lack of Coo trois over the Return of Investigative Case Notes\n\nWe judgmentally selected 10 auf of 12, 363 cases that were closed by FISD investigators between\nFebruary J and February 29, 200B- We requested the case notes 10 determine if the notes were\nreturned to and maintained at FISD headquarters.\n\nWe concluded that FISD could not provide the case notes related to one case because the notes\nwere destroyed prior to the three year retention period We also noted that FISD does not have\ncontrols (i.e. a reconciliation process) in place to ensure that all closed cases are returned once\na case is closed in PIPS. FISD slaled that the case notes related to the one case in our sample\n\n                                               8\n\x0cwere destroyed prior to the three year retention period because the retention policy was not\nclearly understood by its employee(s).\n\nUpon completion 0/ a background investigation, the investigator will close the case in PIPS.\nInvestigative case notes related to the closed cases are manifested by the FISD field offices,\nboxed up, and shipped to FISD headquarters. A tracking number is assigned to each box of\nclosed cases. The tracking numbers and manifests are transmitted to FISD headquarters where\nthe tracking numbers are compiled into a list and verified against the boxes that.are received by\nFISD headquarters/or the week to ensure that all notes that were manifested are accountedfor.\nOnce all tracking numbers have been verified as received, the list oftracking numbers is\ndiscarded. 
The case notes that are returned to FISD headquarters are maintained for a period\nofthree years before they are destroyed.\n\nFISD \'s policy issued on February 22, 2008 states that all original case notes must be maintained\nfor a period ofthree years after the case is closed.\n\nThe Office ofManagement and Budget (OME) Circular A-123 states that procedures may vary;\nhowever, there should be a clear, organized method with a well-defined documentation process\nthat is auditable, verifiable, and defines a specific documentation retention period.\n\nOMB Circular A-i23 also requires the development and maintenance o/internal control\nactivities that comply with standards such as control environment, risk assessment, and\nmonitoring.\n\nWithout specific guidance for tracking, returning and maintaining case notes, there is an\nincreased risk that PII will be compromised, 10SI, or stolen.\n\nRECOMMENDATION 8:\n\nWe!~commend      that FISD ensure that its employees have a clear understanding of the\ndestruction policy related to case notes and case materials, as required by OMB A-123.\n\nMANAGEMENT RESPONSE: PARTIAL CONCURRENCE. While it is true the notes\nwere destroyed prior to the three year period, at that time notes could be destroyed 30 days after\nthe case was closed. There had been a misinterpretation of FISD\'s records schedule, resulting in\nguidance to destroy notes in 30 days after case closing. When a revised scheduled was submitted\nto NARA, they brought to our attention that we could not destroy original notes in less than 3\nyears unless we obtain GAO approval to do so. Once we were infonned of the need t<? maintain\nthese for three years we put into procedures to maintain them and currently have procedures in\nplace to return these case notes to Boyers for the three year retention.\n\nFISD is working with records retention specialists at GAO and NARA to get the language\nchanged to allow retention for 30 days versus three years. 
However, FISD does not dispute the\nfact that once this policy issue is resolved, reinforcing the rules throughout FISD would be a\nuseful initiative so our plan is to include this topic in the annual PH training that all FISD staff\nwill be receiving later this year.\n                                                9\n\x0cRECOMMENDATION 9:\n\nWe recommend that FISD implement internal controls for monitoring the return of case notes for\ninvestigations closed in PIPS, in compliance with OMB A-123.\n\nMANAGEMENT RESPONSE: PARTIAL CONCURRENCE. FISD policy has been\nchanged to require all case notes to be returned to Boyers for storage for the three year retention\nperiod. This policy has been shared with all field elements and we are confident that in the\noverwhelming majority of cases this policy is being followed. FISD staff regularly conducts\nspot checks to ensure that case notes are being returned for closed cases.\n\nRECOMMENDATION 10:\n\nWe recommend that FISD develop internal controls to effectively monitor and document the\nremoval and return of PH for telework .\n\n. MANAGEMENT RESPONSE: CONCURRENCE. The Associate Director, FISD\nsuspended all telework and/or flex i-place for all FISD employees or contractors effective\nNovember 19,2007. In the event that this suspension is ever lifted, FISD will develop and put in\nplace appropriate internal controls to ensure 100% accountability of any material removed from\na FISD facility. .                   .\n\nPlease contact me if you have any~ require any additional information. I have\ninstructed my lead for this effort,~ to keep your office undated as corrective actions\nare completed.\n\ncc: David Cushing, Deputy CFO\n\n\n\n\n                                               10 \n\n\x0c'
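The notification thresholds in FISD's "Loss or Compromise of Personally Identifiable Information" policy (Findings B1 and B2) lend themselves to the kind of timeline check the auditors performed by hand. The following is an added example, not part of the audit report or any FISD tool: it applies the 30-minute and four-hour windows to constructed incident files and, like the findings, distinguishes a late step from one that cannot be determined because the file holds no record of it. The field names and sample times are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds as stated in FISD's policy effective November 19, 2007.
NOTIFY_WINDOW = timedelta(minutes=30)  # Situation Room and Supervisor/Designee, from detection
REPORT_WINDOW = timedelta(hours=4)     # incident report, from supervisor notification


@dataclass
class Incident:
    """Timestamps from one incident file (constructed field names, not FISD's form).
    None means the file holds no record of that step: the audit's
    'lack of documentation' case, which is not the same as a late step."""
    case_id: str
    detected: datetime
    situation_room_notified: Optional[datetime]
    supervisor_notified: Optional[datetime]
    irt_notified: Optional[datetime]
    report_issued: Optional[datetime]


def check_step(start: Optional[datetime], end: Optional[datetime], window: timedelta) -> str:
    """Classify one step as 'compliant', 'late' or 'undocumented'."""
    if start is None or end is None:
        return "undocumented"
    return "compliant" if end - start <= window else "late"


def evaluate(inc: Incident) -> dict:
    """Apply each policy requirement to a single incident file."""
    return {
        "situation_room": check_step(inc.detected, inc.situation_room_notified, NOTIFY_WINDOW),
        "supervisor": check_step(inc.detected, inc.supervisor_notified, NOTIFY_WINDOW),
        # The policy says 'immediately' without a number, so only presence of a record is checked.
        "irt": "documented" if inc.irt_notified is not None else "undocumented",
        # The four-hour clock starts when the Supervisor/Designee is notified.
        "report": check_step(inc.supervisor_notified, inc.report_issued, REPORT_WINDOW),
    }


def summarize(incidents) -> dict:
    """Tally, per step, how many incidents were compliant, late or undocumented."""
    summary: dict = {}
    for inc in incidents:
        for step, status in evaluate(inc).items():
            summary.setdefault(step, Counter())[status] += 1
    return summary


# Constructed sample files; case ids and times are invented for this example.
T0 = datetime(2008, 3, 3, 9, 0)
SAMPLE_INCIDENTS = [
    Incident("X-1", T0, T0 + timedelta(minutes=20), T0 + timedelta(minutes=15),
             T0 + timedelta(minutes=25), T0 + timedelta(hours=3)),  # every step compliant
    Incident("X-2", T0, T0 + timedelta(hours=2), T0 + timedelta(minutes=10),
             None, T0 + timedelta(hours=6)),  # Situation Room and report late, IRT record missing
    Incident("X-3", T0, None, T0 + timedelta(minutes=40),
             T0 + timedelta(minutes=45), None),  # supervisor late, two steps undocumented
]

if __name__ == "__main__":
    for step, counts in summarize(SAMPLE_INCIDENTS).items():
        print(f"{step:15s} {dict(counts)}")
```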